• linkedin

Archives for : Flashboot

OpenBSD 5.0 ute nu

Idag släpps OpenBSD 5.0 vilket är riktigt roligt. Flashboot kommer ganska så snart uppgraderas för att klara av att bygga 5.0 och jag hoppas att det skall gå inom de närmsta dagarna.

Detta skrev Theo angående 5.0

Nov 1, 2011.

We are pleased to announce the official release of OpenBSD 5.0.
This is our 30th release on CD-ROM (and 31th via FTP). We remain
proud of OpenBSD’s record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.0 provides significant improvements,
including new features, in nearly all areas of the system:

– Improved hardware support, including:
o MSI interrupts for many devices, on those architectures which can
support them (amd64, i386, sparc64 only so far).
o A new dma_alloc(9) API makes it easier for kernel code to allocate
dma-safe memory. Many drivers (especially network drivers) and
subsystems (in particular scsi and the buffer cache) were adapted
to use this.
o As a result, big-memory support has been enabled on all possible
o The rather rare bce(4) driver now copies mbufs all the time, to cope
with the hardware having a 1GB limit.
o Added hds(4), a driver for Hitachi Modular Storage SCSI devices.
o Added myx(4), a driver for the Myricom Myri-10G 10GB Ethernet devices.
o Added dfs(4), a driver for Dynamic Frequency Switching on some macppc
o cardbus(4) and pcmcia(4) support on sgi.
o Suspend/resume support on Loongson Yeelong laptops.
o Interrupt handlers for bnx(4), em(4), ix(4) and sis(4) have been
improved reducing overhead and increasing performance.
o New acpitoshiba(4) driver providing ACPI support for Toshiba laptops.
o Added nvt(4), a driver for the W83795G and W83795ADG hardware monitor.
o Added support to sdhc(4) for the Ricoh 5U823 SD/MMC controller.
o A new fw_update(1) tool to install and update non-free firmware packages.

– Generic network stack improvements:
o Added support for sending Wake on LAN packets using arp(8).
o Permit turning Wake on LAN support on/off using ifconfig(8).
o Added Wake on LAN support to xl(4), re(4), and vr(4).
o Allow ftp-proxy to proxy across rdomains.
o The IPv4 stack will no longer accept ICMP redirects when
acting as a router.
o By default the IPv6 stack will not process ICMP6 redirects.
rtsol(8) will turn it back if -F is used.
o Reworked large parts of the dhclient(8) options processing for better
o Fixed carp(4) to work in IPv6 only setups.
o Make it possible to bind(2) to the local network broadcast address
on datagram and raw sockets.
o The default multicast reject route is now ignored if the UDP socket
uses the IP_MULTICAST_IF socket option.
o Make gre(4) work between systems in the same LAN.
o Removed the link1 mode special addressing mode on lo(4).
o New net.inet.tcp.always_keepalive sysctl, effectively enabling
SO_KEEPALIVE on all TCP sockets.

– Routing daemons and other userland network improvements:
o bgpd(8) no longer bumps the rlimits: the rc.d framework respects
login classes which is a much better solution.
o Correctly set the network filtersets on reload in bgpd(8).
o The routing socket is now sending RTM_DESYNC messages if the
socketbuffer overflows.
o Allow ospfd(8) to send out LS updates and other messages
larger than the MTU.
o Fixed nexthop calculation in ospfd(8) for directly connected P2P links.
o First bits to support opaque LSA in ospfd(8). Only basic redistribute
logic and LSDB handling for now.
o Creating new interfaces will no longer cause a fatal error in ospf6d(8).
o ospf6d(8) handles link-state changes better.
o Better loopback handling in ospf6d(8).
o No longer install extra multicast routes in ripd(8) and ldpd(8).
o Make kqueue(2) work with sosplice(9).
o Enabled sosplice(9) in relayd(8) for TCP.
o Added support for divert-to which provides some benefits over
rdr-to in relayd(8).
o Reload support in relayd(8) has been fixed.
o Fixed trap sending in snmpd(8).
o Make ping6(8) compare minimum amount of bytes between what
was received and what was sent out.
o Make traceroute(8) with type-of-service setted (-t) display
a message if the returned packet has a different tos type.
o Added the socket splicing fields of struct socket to netstat -vP output.
o tcpbench(1) now uses libevent and supports both TCP and UDP modes.
o TCP socket buffer sizes can now be displayed using the netstat(1) -B flag.
o tcpdump(8) can now filter on icmptype and tcpflags.
o bgplg(8) now supports “show ip bgp peer-as”.

– pf(4) improvements:
o Make pf(4) reassemble IPv6 fragments. In the forward case, pf
refragments the packets with the same maximum size.
o Allow pf(4) to filter on the rdomain a packet belongs to.
o Make pf(4) allow userland proxies to establish cross rdomain
proxy sessions.
o Added IPv6 ACK prioritization in pf(4).
o Change ‘set skip on <…>’ to work with interface groups.
o pfsync(4) supports IPv6 as network protocol.
o Switched ftp-proxy(8) over to divert-to instead of rdr-to.
o Switched tftp-proxy(8) over to divert-to instead of rdr-to.
o New very low overhead priority queueing implementation for pf(4) used via
the “prio” keyword.
o Support for least-states in load balancing pools and tables.
o Support for weighted round-robin in load balancing pools and tables.

– SCSI improvements:
o Most SCSI hardware drivers now use the new iopools infrastructure.
o scsi(4) devices are now all provided with a unique devid, which
is displayed during the probe process.
o ASC/ASCQ error codes and verbiage now in sync with
o Progress on iSCSI includes better login, better logout, preliminary
FSM support in iscsid(8), and improved logging and debug information.
o uk(4) can now safely and reliably detach an unknown SCSI device.
o SCSI multipath device and kernel support has been improved.
o vscsi(4) now ensures output always goes to the correct connection.
o vscsi(4) connections can now be reset gracefully.
o scsi(4) devices on fibre channel fabrics no longer inherit the adapter’s

– Assorted improvements:
o Kernel randomization speed and quality improved substantially.
o For additional security, security(8) was rewritten in Perl.
o Mandoc 1.11.4: Now accepts eqn(7) input (no fancy formatting yet)
and supports -Tutf8 output (but no utf8 input yet).
o Removed a variety of OS-compat emulation code, leaving just the Linux
o Small improvements to Linux compat (only available on i386).
o Improved our own pkg-config(1) implementation with extended comparison
scheme and implementing various new options.
o The math library, libm, was fully fleshed out to support all C99 required
parts. Many bugs for various architectures were fixed along the way.
o malloc(3) is a lot faster and has a few further security features (more
randomization, as well as the ‘S’ flag to enable all paranoia checks).
o ‘make depend’ is no longer neccessary in kernel compilation directories
since the dependencies are calculated automatically.
o Increased the default size of the buffer cache.
o kqueue(2) now works on /dev/random and spliced sockets
o On MBR-based disks, scan through up to 256 extended partition tables
when looking for an OpenBSD partition table.
o Added POSIX 2008 fdopendir(3) and openat(2) functions, as well as the
o Improved lint format string checks and added a few other checks.
o kdump(8) now dumps stat and sockaddr structures, sysctl mib
strings, and decodes syscall flags and operation bits.
o Improved kernel pool debug checking.
o Improved correctness of signals and various syscalls when rthreads
are in use.
o Kernel malloc(9) space and stacks moved to non-dma memory.
o Fixed some shutdown/reboot hangs on NFS clients.
o UNIX-domain socket paths are now guaranteed to be NUL-terminated.
o Added support for *wprintf(3), wcs{,n}casecmp(3), and wcsdup(3).
o NULL is now a (void *).
o grep(1) now supports a -H option to always print filename headers.
o Whitelist expiry for spamlogd(8) can now be configured via a -W flag.
o ls(1) now supports the POSIX -H option to follow symbolic links specified
on the command line.
o disklabel(8) now tries the next auto-allocation scheme if the current one
fails due to insufficient available partitions.
o bc(1) gained editline(3) support.
o Many enhancements and new functionality has been added to tmux(1).
o disklabel(8) supports absolute resizing of partitions in auto-allocated
o newfs(8) accepts k/m/g suffixes for the -S and -s options.

– Install/Upgrade process changes:
o Completed support for DUID disk installs, and enabled it fully.
o Install non-free firmwares from the internet upon first boot, based on a
question in the installer.
o svnd(4)-like behaviour became the default for vnd(4) devices. This is
what is used to build the media.

– rc.d(8) framework improvements:
o rc.d(8) is now also used for the base system daemons.
o Backward compatible with the historic way of starting daemons.
o Notify the user by appending (ok) or (failed) in interactive mode.
o Better diagnostics with the introduction of RC_DEBUG.

– OpenSSH 5.9:
o New features:
– Introduce sandboxing of the pre-auth privsep child using an
optional sshd_config(5) “UsePrivilegeSeparation=sandbox” mode
that enables mandatory restrictions on the syscalls the privsep
child can perform.
– Add new SHA256-based HMAC transport integrity modes from
These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512,
and hmac-sha2-512-96, and are available by default in ssh(1)
and sshd(8).
– The pre-authentication sshd(8) privilege separation slave process
now logs via a socket shared with the master process, avoiding
the need to maintain /dev/log inside the chroot.
– ssh(1) now warns when a server refuses X11 forwarding.
– sshd_config(5)’s AuthorizedKeysFile now accepts multiple paths,
separated by whitespace. The undocumented AuthorizedKeysFile2
option is deprecated (though the default for AuthorizedKeysFile
includes .ssh/authorized_keys2).
– sshd_config(5): similarly deprecate UserKnownHostsFile2 and
GlobalKnownHostsFile2 by making UserKnownHostsFile and
GlobalKnownHostsFile accept multiple options and default to
include known_hosts2.
– sshd_config(5)’s ControlPath option now expands %L to the host
portion of the destination host name.
– sshd_config(5) “Host” options now support negated Host matching.
– sshd_config(5): a new RequestTTY option provides control over
when a TTY is requested for a connection, similar to the existing
-t/-tt/-T ssh(1) commandline options.
– ssh-keygen(1): Add -A option. For each of the key types (rsa1,
rsa, dsa and ecdsa) for which host keys do not exist, generate
the host keys with the default key file path, an empty passphrase,
default bits for the key type, and default comment. This is useful
for system initialisation scripts.
– ssh(1): Allow graceful shutdown of multiplexing: request that
mux server removes its listener socket and refuse future
multiplexing requests but don’t kill existing connections. This
may be requested using “ssh -O stop …”.
– ssh-add(1): now accepts keys piped from standard input.
– Retain key comments when loading v.2 keys. These will be visible
in “ssh-add -l” and other places. (bz#439)
– ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as
IPv4 ToS/DSCP). (bz#1855)
o The following significant bugs have been fixed in this
– sshd(8): allow GSSAPI authentication to detect when a server-side
failure causes authentication failure and don’t count such failures
against MaxAuthTries. (bz#1244)
– ssh-keysign(8): now signs hostbased authentication challenges
correctly using ECDSA keys. (bz#1858)

– Over 7,200 ports, major robustness and speed improvements in package tools.
– Many pre-built packages for each architecture:
o i386: 7008 o sparc64: 6456
o alpha: 6046 o sh: 3721
o amd64: 6960 o powerpc: 6691
o sparc: 3277 o arm: 2963
o hppa: 6125 o vax: 1409
o mips64: 5689 o mips64el: 5709

– Some highlights:
o Gnome 2.32.2 o KDE 3.5.10
o Xfce 4.8.0 o MySQL 5.1.54
o PostgreSQL 9.0.5 o Postfix 2.8.4
o OpenLDAP 2.3.43 and 2.4.25 o Mozilla Firefox 3.5.19, 3.6.18 and 5.0
o Mozilla Thunderbird 5.0 o GHC 7.0.4
o LibreOffice o Emacs 21.4, 22.3 and 23.3
o Vim 7.3.154 o PHP 5.2.17 and 5.3.6
o Python 2.4.6, 2.5.4 and 2.7.1 o Ruby and
o Mono 2.10.2 o Chromium 12.0.742.122
o Groff 1.21

– As usual, steady improvements in manual pages and other documentation.
o Base system and Xenocara manuals are now installed as source code,
making grep(1) more useful in /usr/share/man/ and /usr/X11R6/man/.
o If both formatted and source versions of manuals are installed,
man(1) automatically displays the newer version of each page.

– The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.6 with xserver 1.9 + patches,
freetype 2.4.5, fontconfig 2.8.0, Mesa 7.8.2, xterm 270,
xkeyboard-config 2.3 and more)
o Gcc 2.95.3 (+ patches), 3.3.5 (+ patches) and 4.2.1 (+patches)
o Perl 5.12.2 (+ patches)
o Our improved and secured version of Apache 1.3, with
SSL/TLS and DSO support
o OpenSSL 1.0.0a (+ patches)
o Sendmail 8.14.5, with libmilter
o Bind 9.4.2-P2 (+ patches)
o Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
o Sudo 1.7.2p8
o Ncurses 5.7
o Heimdal 0.7.2 (+ patches)
o Arla 0.35.7
o Binutils 2.15 (+ patches)
o Gdb 6.3 (+ patches)

If you’d like to see a list of what has changed between OpenBSD 4.9
and 5.0, look at

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.
We provide patches for known security threats and other important
issues discovered after each CD release. As usual, between the
creation of the OpenBSD 5.0 FTP/CD-ROM binaries and the actual 4.9
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default). Our continued research into security means we will find
new security problems — and we always provide patches as soon as
possible. Therefore, we advise regular visits to

Security patch announcements are sent to the
mailing list. For information on OpenBSD mailing lists, please see:
OpenBSD 5.0 is also available on CD-ROM. The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world. The set includes a colourful booklet which carefully explains the
installation of OpenBSD. A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol). As an added bonus, the second CD contains an audio
track, a song entitled “What Me Worry?”. MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

Profits from CD sales are the primary income source for the OpenBSD
project — in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 5.0 CD-ROMs are bootable on the following four platforms:

o i386
o amd64
o macppc
o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from. For our default mail order, go directly to:

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts. Additionally, donations to the project are
highly appreciated, as described in more detail at:
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation ( is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses. There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD’s
infrastructure needs. Contact the foundation directors at for more information.
The OpenBSD distribution companies also sell tshirts and polo shirts.
And our users like them, too. We have a variety of shirts available,
with the new and old designs, from our web ordering system at, as
described above.
If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP or HTTP downloads. Typically you need a single
small piece of boot media (e.g., a boot floppy) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet. Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via FTP or HTTP. With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of ftp/http
mirrors which provide OpenBSD, then choose one near you:

As of Nov 1, 2011, the following ftp mirror sites have the 5.0 release: Stockholm, Sweden Oldenburg, Germany Zurich, Switzerland Paris, France Vienna, Austria Brisbane, Australia CO, USA CA, USA Michigan, USA

The release is also available at the master site: Alberta, Canada

However it is strongly suggested you use a mirror.

Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
pub/OpenBSD/5.0/ which contains these files and directories.
This is a list of what you will see:

ANNOUNCEMENT armish/ mvme68k/ sparc64/
Changelogs/ ftplist mvme88k/ src.tar.gz
HARDWARE hp300/ packages/ sys.tar.gz
PACKAGES hppa/ ports.tar.gz tools/
PORTS i386/ root.mail vax/
README landisk/ sgi/ xenocara.tar.gz
alpha/ mac68k/ socppc/ zaurus/
amd64/ macppc/ sparc/

It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.

HARDWARE – list of hardware we support
PORTS – description of our “ports” tree
PACKAGES – description of pre-compiled packages
root.mail – a copy of root’s mail at initial login.
(This is really worthwhile reading).

3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
for example, i386. This is a list of what you will see:

INSTALL.i386 cd50.iso floppyB50.fs pxeboot*
INSTALL.linux cdboot* floppyC50.fs xbase50.tgz
MD5 cdbr* game50.tgz xetc50.tgz
base50.tgz cdemu50.iso index.txt xfont50.tgz
bsd* comp50.tgz install50.iso xserv50.tgz* etc50.tgz man50.tgz xshare50.tgz
bsd.rd* floppy50.fs misc50.tgz

If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
and the appropriate floppy*.fs or install50.iso files. Consult the
INSTALL.i386 file if you don’t know which of the floppy images
you need (or simply fetch all of them).

If you use the install50.iso file (roughly 250MB in size), then you
do not need the various *.tgz files since they are contained on that
one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.i386. INSTALL.i386 may tell you that you
need to fetch other files.

6) Just in case, take a peek at:

This is the page where we talk about the mistakes we made while
creating the 5.0 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
you can use “fdimage.exe” located in the pub/OpenBSD/5.0/tools
directory to do so.
X.Org has been integrated more closely into the system. This release
contains X.Org 7.6. Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc. During installation, you can install
X.Org quite easily. Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.
The OpenBSD ports tree contains automated instructions for building
third party software. The software has been verified to build and
run on the various OpenBSD architectures. The 5.0 ports collection,
including many of the distribution files, is included on the 3-CD
set. Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD. Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).
A large number of binary packages are provided. Please see the PACKAGES
file ( for more details.
The CD-ROMs contain source code for all the subsystems explained
above, and the README (
file explains how to deal with these source files. For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.0/ directory:

xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
Ports tree and package building by Jasper Lievisse Adriaanse,
Landry Breuil, Michael Erdely, Stuart Henderson, Peter Hessler,
Paul Irofti, Antoine Jacoutot, Robert Nagy, and Christian Weisgerber.
System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat.
X11 builds by Todd Fries and Miod Vallat. ISO-9660 filesystem
layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who pre-ordered the 5.0 CD-ROM or bought our previous
CD-ROMs. Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

Alexander Bluhm, Alexander Hall, Alexander Schrijver,
Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov,
Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot,
Ariane van der Steldt, Austin Hook, Benoit Lecocq, Bernd Ahlers,
Bob Beck, Bret Lambert, Charles Longeau, Chris Kuethe,
Christian Weisgerber, Christiano F. Haesbaert, Claudio Jeker,
Dale Rahn, Damien Bergamini, Damien Miller, Darren Tucker,
David Coppa, David Gwynne, David Hill, David Krause, Edd Barrett,
Eric Faurot, Federico G. Schwindt, Felix Kronlage, Gilles Chehade,
Giovanni Bechis, Gleydson Soares, Henning Brauer, Ian Darwin,
Igor Sobrado, Ingo Schwarze, Jacek Masiulaniec, Jakob Schlyter,
Janne Johansson, Jason George, Jason McIntyre, Jason Meltzer,
Jasper Lievisse Adriaanse, Jeremy Evans, Jim Razmus II, Joel Sing,
Joerg Zinke, Jolan Luff, Jonathan Armani, Jonathan Gray,
Jonathan Matthew, Jordan Hargrave, Joshua Stein,
Kenneth R Westerback, Kevin Lo, Kevin Steves, Kurt Miller,
Landry Breuil, Laurent Fanis, Marc Espie, Marco Peereboom,
Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden,
Mark Uemura, Markus Friedl, Martin Pieuchot, Martynas Venckus,
Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb,
Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat,
Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor,
Nikolay Sturm, Okan Demirmen, Otto Moerbeek, Owain Ainsworth,
Paul de Weerd, Paul Irofti, Peter Hessler, Peter Valchev,
Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard,
Remi Pointel, Reyk Floeter, Robert Nagy, Ryan Freeman,
Ryan Thomas McBride, Sasano, Sebastian Reitenbach, Simon Bertrang,
Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt,
Thordur I Bjornsson, Tobias Weingartner, Todd C. Miller, Todd Fries,
Will Maier, William Yodlowsky, Yasuoka Masahiko, Yojiro Uo

— Johan Ryberg